Your message dated Thu, 22 Dec 2022 16:34:34 +0000
with message-id <[email protected]>
and subject line Bug#1020315: fixed in bind9 1:9.18.10-2
has caused the Debian Bug report #1020315,
regarding bind9: Spams /var/log/syslog with apparmor DENIED 
/sys/kernel/mm/transparent_hugepage/enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1020315: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020315
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9
Version: 1:9.18.6-2
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]

With apparmor enabled for named, the /var/log/syslog file ends up with a lot of unnecessary DENIED messages, as the read access to /sys/kernel/mm/transparent_hugepage/enabled seems to have been accidentally excluded by the hardening.
Restoring the read access seems to resolve the issue, see attached patch.


Examples:
/var/log/syslog:Sep 18 00:45:12 pippi kernel: [568935.135647] audit: type=1400 audit(1663454712.445:191): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=234038 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 01:54:18 pippi kernel: [573081.399636] audit: type=1400 audit(1663458858.813:192): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=235380 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 03:26:40 pippi kernel: [578622.720520] audit: type=1400 audit(1663464400.273:193): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=236920 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 04:42:21 pippi kernel: [583163.451230] audit: type=1400 audit(1663468941.119:194): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=237915 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 05:50:00 pippi kernel: [587222.657447] audit: type=1400 audit(1663473000.425:195): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=239109 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 07:15:15 pippi kernel: [592337.151577] audit: type=1400 audit(1663478115.049:196): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=243061 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 08:42:55 pippi kernel: [597597.185578] audit: type=1400 audit(1663483375.213:197): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=247004 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 09:52:30 pippi kernel: [601772.451830] audit: type=1400 audit(1663487550.586:198): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=248343 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 11:12:27 pippi kernel: [606569.547243] audit: type=1400 audit(1663492347.802:199): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=252396 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 12:25:25 pippi kernel: [610946.891663] audit: type=1400 audit(1663496725.256:200): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=254642 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 13:50:03 pippi kernel: [616024.685028] audit: type=1400 audit(1663501803.180:201): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=257604 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 15:05:34 pippi kernel: [620555.410211] audit: type=1400 audit(1663506334.014:202): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=260179 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 16:37:47 pippi kernel: [626088.694992] audit: type=1400 audit(1663511867.436:203): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=262246 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 18:00:21 pippi kernel: [631042.827598] audit: type=1400 audit(1663516821.692:204): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=264295 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 19:15:41 pippi kernel: [635562.798692] audit: type=1400 audit(1663521341.781:205): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=267350 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 20:43:37 pippi kernel: [640838.555665] audit: type=1400 audit(1663526617.670:206): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=268844 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 21:53:28 pippi kernel: [645029.178793] audit: type=1400 audit(1663530808.399:207): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=270477 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
/var/log/syslog:Sep 18 23:03:19 pippi kernel: [649220.506898] audit: type=1400 audit(1663534999.831:208): apparmor="DENIED" operation="open" profile="named" name="/sys/kernel/mm/transparent_hugepage/enabled" pid=272038 comm="named" requested_mask="r" denied_mask="r" fsuid=0 ouid=0



-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (800, 'testing'), (300, 'unstable')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.19.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9 depends on:
ii adduser 3.128
ii bind9-libs 1:9.18.6-2
ii bind9-utils 1:9.18.6-2
ii cdebconf [debconf-2.0] 0.264
ii debconf [debconf-2.0] 1.5.79
ii dns-root-data 2021011101
ii init-system-helpers 1.64
ii iproute2 5.19.0-1
ii libc6 2.34-7
ii libcap2 1:2.44-1
ii libfstrm0 0.6.1-1
ii libjson-c5 0.16-1
ii liblmdb0 0.9.24-1
ii libmaxminddb0 1.5.2-1
ii libnghttp2-14 1.49.0-1
ii libprotobuf-c1 1.4.1-1
ii libssl3 3.0.5-2
ii libuv1 1.44.2-1
ii libxml2 2.9.14+dfsg-1+b1
ii lsb-base 11.2
ii netbase 6.3
ii zlib1g 1:1.2.11.dfsg-4.1

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn bind-doc <none>
ii bind9-dnsutils [dnsutils] 1:9.18.6-2
ii dnsutils 1:9.18.6-2
pn resolvconf <none>
ii ufw 0.36.1-4

-- Configuration Files:
/etc/apparmor.d/usr.sbin.named changed [not included]
/etc/bind/named.conf changed [not included]
/etc/bind/named.conf.local changed [not included]
/etc/bind/named.conf.options changed [not included]

-- debconf information:
bind9/run-resolvconf: false
bind9/different-configuration-file:
bind9/start-as-user: bind

--
/Stefan B. (bugreporter)
--- /etc/apparmor.d/usr.sbin.named~	2021-11-12 14:24:13.000000000 +0100
+++ /etc/apparmor.d/usr.sbin.named	2022-09-19 21:43:35.092730212 +0200
@@ -13,4 +13,7 @@
   capability sys_resource,
 
+  # named need to check if hugepages is avaiable.
+  /sys/kernel/mm/transparent_hugepage/enabled r,
+
   # /etc/bind should be read-only for bind
   # /var/lib/bind is for dynamically updated zone (and journal) files.
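
Review bot: the comment on the first added line has an agreement slip and a typo ("named need", "avaiable"); suggest "# named needs to check whether transparent hugepages are available." The rule on the following line is appropriately narrow, granting only `r` on the single `enabled` file rather than a glob over /sys/kernel/mm/. Note that the headers diff /etc/apparmor.d/usr.sbin.named~ against the installed file using absolute paths, so the hunk has to be re-targeted at the profile in the packaging source before it applies.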

--- End Message ---
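
A way to triage a flood of denials like the one quoted in the report above, as an added example that is not part of the original messages or of the bind9 packaging: it groups AppArmor DENIED file records by profile, path and mask and renders each group as a rule line for human review. The sample lines, host name and the `/tmp/a b` path are constructed; the function names are hypothetical.

```python
import re
from collections import Counter

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, or None for other lines."""
    fields = {}
    for key, quoted, bare in KV.findall(line):
        value = quoted or bare
        # The audit subsystem hex-encodes names containing spaces or control
        # characters and writes them without quotes; decode those back.
        if key == "name" and bare and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    if fields.get("type") != "1400" or fields.get("apparmor") != "DENIED":
        return None
    return fields

def summarise(lines):
    """Count file denials per (profile, path, denied_mask); other record kinds are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec and "name" in rec and "denied_mask" in rec:
            counts[(rec["profile"], rec["name"], rec["denied_mask"])] += 1
    return counts

def candidate_rules(counts):
    """Render each distinct denial as a profile rule line, most frequent first."""
    rules = []
    for (profile, path, mask), n in counts.most_common():
        if re.search(r"\s", path):
            path = '"%s"' % path  # profile syntax needs quotes around paths with spaces
        rules.append("%s %s,  # profile=%s count=%d" % (path, mask, profile, n))
    return rules

# Constructed sample input in the format of the syslog lines quoted in the report.
_T = ('Sep 18 00:45:12 host kernel: [1.0] audit: type=1400 audit(1663454712.445:{n}): '
      'apparmor="{v}" operation="open" profile="named" name={name} pid=1000 '
      'comm="named" requested_mask="{m}" denied_mask="{m}" fsuid=0 ouid=0')
THP = '"/sys/kernel/mm/transparent_hugepage/enabled"'
SAMPLE = [
    _T.format(n=1, v="DENIED", name=THP, m="r"),
    _T.format(n=2, v="DENIED", name=THP, m="r"),
    _T.format(n=3, v="DENIED", name="2F746D702F612062", m="w"),  # hex for "/tmp/a b"
    _T.format(n=4, v="ALLOWED", name=THP, m="r"),                # complain-mode record
    "Sep 18 00:45:13 host named[1000]: running",                 # unrelated line
]

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarise(SAMPLE))))
```

Each rendered line is a candidate only: whether to grant the access, as the attached patch does, or to add an explicit `deny` rule that silences the log without granting it, is a decision for whoever maintains the profile.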
--- Begin Message ---
Source: bind9
Source-Version: 1:9.18.10-2
Done: Bernhard Schmidt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 22 Dec 2022 17:12:17 +0100
Source: bind9
Architecture: source
Version: 1:9.18.10-2
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 994696 1016646 1020315 1025519
Changes:
 bind9 (1:9.18.10-2) unstable; urgency=medium
 .
   * Backport upstream feature to use sd_notify()
   * Use systemd notify for service readyness check (Closes: #994696)
   * apparmor.d: Allow named to read all OpenSSL config files.
     (Closes: #1025519)
   * apparmor.d: Allow named to query for hugepages support.
     (Closes: #1020315)
   * Fix path to README.Debian (Closes: #1016646)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
